Pi-hole as additional ad-firewall and (unbound) DNS within Qubes

I already have a pi-hole running on a SBC. Now, I was wondering if it makes sense and how to setup a pi-hole directly inside Qubes.

My main two questions are

A) what order makes most sense:

  1. firewall > sys-net > pi-hole
  2. firewall > pi-hole > sys-net
  3. pi-hole > firewall > sys-net

and B) what would be the best VM OS and type ?

sources:




1 Like

OK, I run pihole for a few VM from this doc with is based on Patrizio work. As I prefer NextDNS but this setup work with every DNS that you can think of.

I use debian-minimal with Networking essentials but setup work with every template.

My setup is kind of
pi-hole>firewall>sys-net

Im not sure why it would make sense. I run a unbound and pihole on a freenas vm and then my router just hands out them with the dhcp-requests to sys-net.

So, you have a AppVM > firewall > pi-hole (freenas vm) > sys-net Qubes setup, correct?

I don’t know either :slight_smile:
It was just an idea since we already have a Qubes firewall onboard … so why not having your own DNS (unbound) … malware, regex blocklists … within Qubes (before transmitting anything to your router).

The RPi pi-hole with its web interface is already doing an awesome job. My main question, is there any advantage / disadvantage to have it running as Qube vs. on a SBC (wrt privacy and security)?

1 Like

@Rooftop concerning your post: Restricting a Qube to selected websites

Here, beside the DNS setup are you also interested in testing a pi-hole setup for black-/white listing of websites? I would love to have this as a standard option(!) for Qubes OS. At least a community doc to simple setup pi-hole in Qubes OS.

Pi-hole offers so much more like RegEx, Punycode and Emoji-Domains blocking and a super nice and easy web interface.

Interest, time?

1 Like

I think there was a guide for that on the Qubes community doc already. Just check that.

There is also this which looks pretty straight forward (but I haven’t tried it - maybe one day…)

How to configure PiHole in QubesOS (ProxyVM).

1 Like

Both guides mentioned used to work. But they stopped working in qubes 4.1 recently. @unman Can you suggest what may be the reason that Pi-hole VM not picking traffic from downstream VMs.